Attacks on the biotech and pharmaceutical industry had increased by 50% between 2019 and 2020, according to a BlueVoyant report.
The report highlighted that nation-states are ramping up cyber attacks on companies that are developing vaccines, and this is likely to increase as production and distribution gets underway.
The analysis examined open source records of 25 publicly reported attacks that have taken place in the last four years. It set out to define key risks and how COVID-19 has changed the threat landscape.
Establishing that ransomware is still the number one threat vector for this industry, the report identifies the key risks that companies face and the steps they need to take to mitigate these.
- The number one emerging threat in 2020 is nation-state espionage aimed at stealing COVID-19 vaccine research data. That said, the top threat overall is still ransomware.
- COVID-19 vaccines are the crown jewels in 2020 with eight of the most prominent companies in the race for a vaccine facing high volumes of targeted malicious attacks. These are often out of proportion to their size and larger attack volumes than well-known pharmaceutical giants.
- Biotech and pharmaceutical companies are under daily attacks which include brute force, phishing attempts, and targeting of vulnerable web applications.
- Attacks are escalating. Of the 25 attacks reported to the media since 2017, 10 (40%) took place in 2020.
- Key defenses against such attacks such as securing open remote desktop access ports and phishing security had not been implemented across most of the observed companies.
- 80% of the 20 companies analyzed showed signs of more targeted attack activity.
Commenting on the research, Jim Penrose, COO, BlueVoyant said: “Pharmaceutical companies develop highly lucrative IP, they handle large amounts of patient and healthcare data and as such are a prime target for criminals looking to compromise, steal and exploit information. Now they face an even more elevated risk environment in the current pandemic as well-resourced nation-state actors mount aggressive and focused campaigns.
“Most organizations in this sector are significantly scaling up their digital platforms but cyber posture lags. They need to continuously monitor new attack vectors. Importantly, once they have secured their own systems, they need to look outward to supply chain cybersecurity because this sector, more than most industries, has interconnected digital business ecosystems with many supply chain dependencies. Supply chain cybersecurity is a critical step in ensuring against third-party cyber risk.”
- First, 80% of companies targeted experienced malicious, intentional and focused efforts. Even more troubling, 7 out of 20 showed signs of compromise.
- Second, attackers used automated tools and infrastructure and three quarters used programmatic brute force attacks, meaning they had acquired a credential database and then bought an automated program to target specific companies.
- Third, these incidents occurred without regard to company size, area of focus or geography. The wide distribution of attacks did not follow a clear pattern, which means that organizations were under attack from sophisticated and knowledgeable cyber actors.
Jim Rosenthal, CEO, BlueVoyant, concludes: “The ongoing effort to find a vaccine and cure for COVID-19 is an endeavor we all want to succeed. The high level of cyber risk associated with the firms working on this critical mission ought to be a call for action to take immediate measures to drive down cyber risk.
“Around the globe all citizens want peace of mind that these firms will guarantee confidentiality, integrity, and availability in their research, development, manufacturing, and data management activities as they race against the clock to deliver life-saving breakthroughs.
“We have recently seen the first death of a patient in Germany attributed to ransomware paralysing a hospital’s networks. We need to ensure that the growing surge of attacks against the pharmaceutical sector does not disrupt the delivery of healthcare, and the production and distribution of COVID- 19 vaccines in 2021.”
80% of organizations experienced a cybersecurity breach that originated from vulnerabilities in their vendor ecosystem in the past 12 months, and the average organization had been breached in this way 2.7 times, according to a BlueVoyant survey.
The research also found organizations are experiencing multiple pain points across their cyber risk management program as they aim to mitigate risk across a network that typically encompasses 1409 vendors.
The study was conducted by Opinion Matters and recorded the views and experiences of 1505 CIOs, CISOs and Chief Procurement Officers in organizations with more than 1000 employees across a range of vertical sectors including business and professional services, financial services, healthcare and pharmaceutical, manufacturing, utilities and energy. It covered five countries: USA, UK, Mexico, Switzerland and Singapore.
Third-party cyber risk budgets and other key findings
- 29% say they have no way of knowing if cyber risk emerges in a third-party vendor
- 22.5% monitor their entire supply chain
- 32% only re-assess and report their vendor’s cyber risk position either six-monthly or less frequently
- The average headcount in internal and external cyber risk management teams is 12
- 81% say that budgets for third-party cyber risk management are increasing, by an average figure of 40%
Commenting on the research findings, Jim Penrose, COO BlueVoyant, said: “That four in five organizations have experienced recent cybersecurity breaches originating in their vendor ecosystem is of huge concern.
“The research clearly indicated the reasons behind this high breach frequency: only 23% are monitoring all suppliers, meaning 77% have limited visibility and almost one-third only re-assess their vendors’ cyber risk position six-monthly or annually. That means in the intervening period they are effectively flying blind to risks that could emerge at any moment in the prevailing cyber threat environment.”
Multiple pain points exist in third-party cyber risk programs as budgets rise
Further insight into the difficulties that are leading to breaches was revealed when respondents were asked to identify the top three pain points related to their third-party cyber risk programs, in the past 12 months.
The most common problems were:
- Managing the volume of alerts generated by the program
- Working with suppliers to improve security performance, and
- Prioritizing which risks are urgent and which are not.
However, overall responses were almost equally spread across thirteen different areas of concern. In response to these issues, budgets for third-party cyber risk programs are set to rise in the coming year. 81% of survey respondents said they expect to see budgets increase, by 40% on average.
Jim Penrose continues: “The fact that cyber risk management professionals are reporting difficulties across the board shows the complexity they face in trying to improve performance.
“It is encouraging that budget is being committed to tackling the problem, but with so many issues to solve many organizations will find it hard to know where to start. Certainly, the current approach is not working, so simply trying to do more of the same will not shift the dial on third-party cyber risk.”
Variation across industry sectors
Analysis of the responses from different commercial sectors revealed considerable variations in their experiences of third-party cyber risk. The business services sector is suffering the highest rate of breaches, with 89% saying they have been breached via a weakness in a third-party in the past 12 months.
The average number of incidents experienced in the past 12 months was also highest in this sector, at 3.6. This is undoubtedly partly down to the fact that firms in the sector reported working with 2572 vendors, on average.
In contrast, only 57% of respondents from the manufacturing sector said they had suffered third-party cyber breaches in the past 12 months. The sector works with 1325 vendors on average, but had a much lower breach frequency, at 1.7.
“Thirteen percent of respondents from the manufacturing sector also reported having no pain points in their third-party cyber risk management programs, a percentage more than twice as high as any other sector.
Commenting on the stark differences observed between sectors, Jim Penrose said: “This underlines that there is no one-size-fits-all solution to managing third-party cyber risk.
“Different industries have different needs and are at varying stages of maturity in their cyber risk management programs. This must be factored into attempts to improve performance so that investment is directed where it has the greatest impact.”
Mix of tools and tactics in play
The survey investigated the tools organizations have in place to implement third-party cyber risk management and found a mix of approaches with no single approach dominating.
Many organizations are evolving towards a data-driven strategy, with supplier risk data and analytics in use by 40%. However static, point-in-time tactics such as on-site audits and supplier questionnaires remain common.
Jim Penrose concludes: “Overall the research findings indicate a situation where the large scale of vendor ecosystems and the fast-changing threat environment is defeating attempts to effectively manage third-party cyber risk in a meaningful way.
“Visibility into such a large and heterogenous group of vendors is obscured due to lack of resources and a continuing reliance on manual, point-in-time processes, meaning real-time emerging cyber risk is invisible for much of the time.
“For organizations to make meaningful progress in managing third-party cyber risk and reduce the current concerning rate of breaches, they need to be pursuing greater visibility across their vendor ecosystem and achieving better context around alerts so they can be prioritized, triaged and quickly remediated with suppliers.”
BlueVoyant, a global analytics-driven cybersecurity firm, announced the availability of its Managed Detection and Response (MDR) Service for Microsoft Defender Advanced Threat Protection (D-ATP), a unified next-generation anti-virus (NGAV) and endpoint detection and response (EDR) platform.
“The addition of Microsoft Defender Advanced Threat Protection to BlueVoyant’s 100% cloud-based technology portfolio furthers BlueVoyant’s goal of bringing best-of-breed technologies and services to companies of all sizes,” said Jim Rosenthal, CEO of BlueVoyant.
“Given Microsoft’s vision of unified, integrated, and cloud-based security, we recognize the deep strategic and technical value of adding Microsoft Defender ATP to our MDR services as part of our broader strategic integration with Microsoft security technologies in our Managed Services portfolio.”
BlueVoyant’s MDR service is designed for new and existing Microsoft Defender ATP customers who are looking for an elite security operations partner. MDR provides support in monitoring, investigating, responding to, and mitigating advanced attacks on endpoints.
The managed service includes initial setup, continuous policy management, tuning, monitoring, response, and remediation of advanced cyber attacks, backed by 24/7 security operations.
“By combining our Microsoft security portfolio with BlueVoyant security services, we empower our customers to modernize their security capabilities focused on cyber threat detection and response,” said Ann Johnson, Corporate Vice President, Cybersecurity Solutions Group, Microsoft Corp.
“Cybersecurity is complex, but it doesn’t have to be complicated. Advancing our security relationship with BlueVoyant, helps organizations simplify their security operations and scale as they grow.”
BlueVoyant provides real-time and customized threat response and remediation – terminating malicious processes, isolating devices, and manually preventing persistence and lateral movement associated with sophisticated attacks.
BlueVoyant incorporates client-driven rules of engagement (ROE) enabling immediate, decisive action to stop threats that could cripple a network versus non-critical events where a lower-tiered response may be appropriate.